Imagine hiring a building contractor to come and work on your house. Not too long after, you hear from a buddy that they were at the local bar, loudly telling everyone not just what kind of security system you use, but the hours that you’re out of the house, the security camera blind spots a burglar could possibly enter from, the code you use for deactivating your alarm, and the place you keep your valuables.
Needless to say, this would be an enormous abuse of trust – to put it mildly. Even if the contractor had no intention of this information being misused, they’d nonetheless be putting you, their paying customer, at considerable risk by sharing it. After all, it would take just one would-be criminal noting down these details for your home to become a target for thieves.
While the analogy isn’t exact, an unnervingly similar scenario involves the leaking of sensitive data by trusted developers. It’s a reminder of why data protection best practices aren’t just a “nice to have,” but an essential part of any self-respecting organization’s cyber security toolkit.
The leaking problem
According to the report, in 2021 organizations leaked upward of 6 million passwords, along with API keys and assorted other sensitive data. On average, three out of every 1,000 commits to GitHub (a commit is a snapshot of an entire repository at a specific point in time) leaked a so-called “secret.” Upward of half of these included credentials used to access data storage services, credentials for cloud providers, private encryption keys, and/or development tools.
A further 10 percent included credentials for accessing messaging systems and version-control platforms. While such secrets aren’t always what attackers use to gain initial access, they are frequently used to raise the attacker’s level of privilege and then move laterally into other systems. In other words, the fact that this information can be made public is incredibly dangerous and poses a significant risk to organizations.
It can leave targets extremely vulnerable to a data security attack that could result in critical sensitive data being leaked, or in myriad other negative consequences.
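As an added example (not from the original article), here is a minimal pre-commit style scanner in Python that checks only the added lines of a unified diff for the three secret categories the article names; the patterns, file names and diff content are constructed for illustration, not taken from any real repository.

```python
import re

# Rules for the secret categories the article names (constructed; real scanners
# carry hundreds). Credential values must be quoted literals, so the safe form
# PASSWORD = os.environ["PASSWORD"] is not flagged.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
}
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (file, new line number, category) for each added line matching a
    rule. Only '+' lines are checked, so deleting a secret never triggers."""
    findings, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):  # new-file header, e.g. '+++ b/config.py'
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):  # hunk header carries the new-side start line
            m = HUNK_HEADER.match(raw)
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):  # added line: the only place a leak can enter
            for category, pattern in SECRET_PATTERNS.items():
                if pattern.search(raw[1:]):
                    findings.append((current_file, line_no, category))
                    break
            line_no += 1
        elif raw.startswith(" "):  # unchanged context line
            line_no += 1
    return findings

# Constructed diff: a config file swaps an env lookup for a literal password
# and adds a cloud key; a new deploy file carries a private key header.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-but-much-longer"
+AWS_ACCESS_KEY_ID = "AKIAFAKEFAKEFAKEFAKE"
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(constructed placeholder, no real key material)
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the literal password on config.py line 2, the cloud key on line 3 and the private key on deploy/id_rsa line 1, while the removed `os.environ` lookup produces nothing.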
This is just one of the many ways in which data security can be compromised. Organizations looking to do right by both themselves and their users must take the right steps to protect all parties involved. That means looking at both internal and external risks and plugging the gaps. Internal risks include IT configuration errors, weak passwords, missing user access management, poor authentication, and more. External risks include social engineering strategies such as phishing, attacks on corporate infrastructure such as DDoS (distributed denial of service) attacks or SQL injection, and others. Both types of attack could expose targets to malicious behavior from hackers and other bad actors.
They must then ensure that they have a data protection policy in place that defines a risk tolerance for each data category and applies the proper authentication and authorization measures, so that only legitimate users are able to gain access to the information and tools they need – ideally without hamstringing them by making the process more arduous than it needs to be. Only by doing this can they ensure that data is properly safeguarded against myriad threats.
Putting these protocols in place will only become more critical as increasingly tight regulations are passed regarding data security. With data security breaches becoming potentially more damaging all the time, rules such as the European Union’s GDPR will dictate how organizations must handle their data – and impose fines and other penalties on those who fail to do so.
Choose the right tools
Fortunately, tools exist to help with this. In particular, data monitoring and protection solutions can be a big help. Tools like database firewalls, user rights management, data masking and encryption, data loss prevention (DLP) and database activity monitoring can keep tabs on data, apply other protective measures, and take the appropriate actions if something unexpected puts that data at risk. As such, it’s possible to protect against instances in which data may be exposed without the awareness of those in charge of safeguarding it. It’s a smart investment for any organization to make – and it’s getting smarter all the time.
Data protection matters. Whether the concern is penalties for breaking rules, damaged company reputations, lost trade secrets or anything else, it’s of the utmost importance that data security comes first among your cybersecurity concerns. The bad news: the threat of bad actors in this domain is worse than ever. The good news: there’s never been a better time to find and secure the help you need to protect against them.